Skocz do zawartości
Technic

Iptables

Polecane posty

Witam,

Zakupiłem sobie dedyka, pomyślałem że warto go jakoś zabezpieczyć, znalazłem ciekawie wyglądający skrypt, jednak krzaczy się on, a aj nie potrafie tego rozwiązać, bardzo proszę o pomoc. Chodzi o to że skrypt nie przepuszcza niczego za wyjątkiem połączeń już ustabilizowanych.

 

#!/bin/sh
# 
# In order to use this IPTables firewall script you
# must have IPTables installed. You also must be using 
# a 2.4.x series Kernel, with IPTables support complied 
# into it, which is standard for most newer Linux distributions.
#
# If you need help compiling IPtables into your kernel, please
# see our Kernel Compile/Upgrade Guide located at 
# www.linuxhelp.net/guides/
#
# Once the script has been edited with all your relevant
# information (IP's, Network Interfaces, etc..) simply
# make the script executable and run it as root.
#
# chmod 700 iptables-firewall
# ./iptables-firewall
#
# If you would like to see what rules are currently set, as
# root run iptables -L
#
# If you've messed up and need to bring down the firewall 
# for whatever reason, run iptables -F
#
# If you would like to have the firewall automatically
# come up at boot time, add the path to the script to
# the bottom of your /etc/rc.d/rc.local file. For instance
# /root/bin/iptables-firewall
#
# If you're not sure about something, check out the iptables
# man page by typing 'man iptables' (without the ''s) at the
# command prompt.
#
# This script is an enhanced/modified version of the 
# iptables-script written by Davion 
# 
# If you have any questions, please come see us in #Linuxhelp.net
# on the DALnet IRC network. (www.linuxhelp.net/ircinfo.shtml)

# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface you will be protecting. For ADSL/dialup users,
# ppp0 should be fine. If you are using a cable internet connection or
# are connected to a LAN, you will have to change this to "eth0".
INT="eth0"

# The following rules will clear out any existing firewall rules, 
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# The following line below enables IP forwarding and thus 
# by extension, NAT. Turn this on if you're going to be 
# doing NAT or IP Masquerading.
#echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the $INT (external) 
# interface to be the given IP. If you have a dynamic IP 
# address or a DHCP IP that changes semi-regularly, comment out 
# the first line and uncomment the second line.
#
# Remember to change the ip address below to your static ip.
#
$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 91.205.75.65
#$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

# This rule protects your fowarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

# If you would like to forward specific ports to other machines
# on your home network, edit and uncomment the rules below. They are
# currently set up to forward port 25 & 53 (Mail & DNS) to 10.1.1.51. 
# Anything incoming over your $INT through your gateway will 
# be automatically redirected invisibly to port 25 & 53 on 10.1.1.51
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to 10.1.1.51:25
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to 10.1.1.51:53
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to 10.1.1.51:53

# These two redirect a block of ports, in both udp and tcp.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 2300:2400 -j DNAT --to 10.1.1.50
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 2300:2400 -j DNAT --to 10.1.1.50


# Now, our firewall chain. We use the limit commands to 
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter in the IP's of the machines on the 
# network below.
$IPT -A INPUT -i lo -j ACCEPT
#$IPT -A INPUT -s 10.1.1.50 -d 0/0 -p all -j ACCEPT
#$IPT -A INPUT -s 10.1.1.51 -d 0/0 -p all -j ACCEPT
#$IPT -A INPUT -s 10.1.1.52 -d 0/0 -p all -j ACCEPT

# Drop those nasty packets! These are all TCP flag 
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that 
# are used to attack a box in various ways, so we 
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

# If you would like to open up port 22 (SSH Access) to various IP's
# simply edit the IP's below and uncomment the line. If youw wish to 
# enable SSH access from anywhere, uncomment the second line only. 
#$IPT -A INPUT -i $INT -s 10.1.1.1 -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT

# Lets do some basic state-matching. This allows us 
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Uncomment to drop port 137 netbios packets silently. 
# We don't like that netbios stuff, and it's way too 
# spammy with windows machines on the network.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall 
# so we don't get silent drops.
$IPT -A INPUT -j dropwall

 

Dziękuję.

Udostępnij ten post


Link to postu
Udostępnij na innych stronach
Gość N3T5kY

Jeśli "mniej" się znasz zainteresuj się CSF - bardzo proste w konfiguracji.

 

http://configserver.com/cp/csf.html

 

krótki opis instalacji:

 

wget http://configserver.com/free/csf.tgz
tar -zxvf csf.tgz
cd csf
sh install.sh

 

potem w opcjach zmieniasz "testing" na 0, i dostosowujesz resztę

 

integruje się z DA/Webmin/cp

Udostępnij ten post


Link to postu
Udostępnij na innych stronach

Albo Shorewall. Całkiem przyjemnie się konfiguruje ;)

Udostępnij ten post


Link to postu
Udostępnij na innych stronach

W zasadzi wszystko wydaje się działać, mam tylko jeden błąd:

FATAL: Could not load /lib/modules/2.6.18-164.2.1.el5.028stab066.10/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.18-164.2.1.el5.028stab066.10/modules.dep: No such file or directory

Ale pogoogluje i się naprawi

Udostępnij ten post


Link to postu
Udostępnij na innych stronach

Bądź aktywny! Zaloguj się lub utwórz konto

Tylko zarejestrowani użytkownicy mogą komentować zawartość tej strony

Utwórz konto

Zarejestruj nowe konto, to proste!

Zarejestruj nowe konto

Zaloguj się

Posiadasz własne konto? Użyj go!

Zaloguj się


×